Pre-sale questions transparent vs nat, vlan (Transparent vs nat, vlan, failover, policy)
  •  
bareare

Hi

I wish there was a sale-email somewhere, but I'll ask here instead.

We have many servers, mostly webservers and we run transparent mode on a Fortigate unit (so that we don't have to do NAT on every port, we just open each one).

1. KC seems to run in transparent mode unless I activate NAT?

2. Current Fortigate fw doesn't support VLAN in transparent mode. I want to separate each server from each other by having their own customer VLAN. Simple? Or do I need to activate NAT for every server and every port?

From what a consultant told us on Fortigate: "Bad news. When I started planning it, I noticed that your FW is running under transparent mode. Most of firewalls run under NAT/router mode. Not many FWs run under transparent mode. In transparent mode, the FW behaves like a layer-2 bridge which just forwards package from port to another port. It also limits on VLAN trunks passing through the unit. So based on our current hardware, it is almost impossible to do the VLAN."

3. I want fail-over: If one fw crashes, I need to keep the traffic going. In worst case, just bypass it. Best solution?

4. When having many IPs, how do you do it? In Fortigate, I can give names to each IP and I can also group services and/or these servers so that the rules don't fill page after page. In Kerio, I need to create one group for each server?

I'm so tired of costly hw-appliances that cost a lot. I like 90% of Kerio Control, but the biggest problem is the rule-list that will build up quite big. I wish they would compare themselves to Fortinet/Fortigate 200 in this regard.
  •  
ICT and Me

Hi Bareare,

First of all Kerio Control is never made to be compared with Fortinet/Fortigate. As those are HIGH end Firewalls. Kerio Control is first of all made for SMB market. But in the years Kerio Control moves to the SME market too. Not by Kerio themselves but by the resellers and integrators. Kerio Control is easy to use.

Second the consultant on Fortigate told you the right thing. There are fewer Firewalls/UTMs that do transparent mode. Most do NAT.
Okay your rules will be a lot, we have too. But Control rules are that simple to create or duplicate and adjust. Much more than Cisco or Fortigate.

About Failover on the Firewalls. Kerio Control doesn't support "heartbeat" monitoring. The only thing that will help is to back up every change in configuration so if the Control system breaks you can build a new one in minutes. Install Kerio Control on new system and import backup.
And configure the NIC to the right ones. Up and running.

My personal advice would be to create a test case to see how it works.
Good luck

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
bareare

Thank you for your answers, I appreciate it :)

But is Kerio Control by default transparent? I just get that feeling.

I found a document on the website comparing Kerio against Fortigate 200, so it seems like they do want to compete with them. And I think they can, at least on price and user-friendliness for people like me who aren't experts on network and configuration. For instance Fortigate statistics are based on measuring packets, while Kerio measures and gives statistics in MB. I got to set up VPN in minutes when testing just the interface on a virtual machine. So I hope to be able to use Kerio.
  •  
ICT and Me

Kerio Control is transparent as proxy, yes.
Not the way you want it. And yes Kerio wants to compete with them but for me they don't do that on Cisco/Fortigate/Juniper level.
Kerio Control is indeed easy and very well priced. And it becomes more and more mature like Cisco/Fortigate/Juniper.
Still my advice is to use NAT because it is much safer.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
  •  
bareare

How do I actually do NAT here? Can I have a list of services and choose NAT in the Translation-column and that's it? Or must I have one service on each line in traffic-rules?
  •  
ICT and Me

Services you choose in the Service column and the server to NAT will be placed in Translation.
See example. An IP-PBX example.

  • Attachment: example.png

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl